Google Cloud often blocks service account key creation by default, and it does not make it easy to grant the admin account the permission needed to change this.
The steps below consist of:
- Getting set up and finding your Organization ID
- Allowing the admin account (called the user from here on) to update certain organization policies
- Disabling the block on service account key creation: iam.disableServiceAccountKeyCreation
STEP ONE: Getting set up and finding your Organization ID
- Go to https://console.cloud.google.com/iam-admin/iam
If you are not logged in, log in with the email address of the account that was first used to create the Google Cloud Developer/Console project.
- Ensure you are on the IAM page; it will be highlighted blue in the left-hand menu.
- Click on the Cloud Console Terminal in the top right-hand corner. A terminal window appears at the bottom of the page; wait for it to finish loading.
- Find your Organization ID by entering the following into the Cloud Console Terminal:
gcloud organizations list
You may see an authorization request pop up; allow it.
The Organization ID appears in the output table.
- Copy the ID.
STEP TWO: Allow the admin account to update certain policies.
- Grant the “Organization Policy Administrator” role to a user
You can grant the roles/orgpolicy.policyAdmin role to a user with the following command:
gcloud organizations add-iam-policy-binding [ORGANIZATION_ID] \
--member='user:email@example.com' \
--role='roles/orgpolicy.policyAdmin'
- Replace [ORGANIZATION_ID] with your actual organization ID.
- Replace email@example.com with the email address of the user you want to grant the role to.
- Check the command once more; once the placeholders are replaced, hit enter.
- Verify the role assignment
Check that the user has the correct permissions with the following:
gcloud organizations get-iam-policy [ORGANIZATION_ID]
Replace [ORGANIZATION_ID] with the same organization ID as before.
In the output, look for the user under bindings and check that they have the roles/orgpolicy.policyAdmin role.
- HARD refresh the browser window by holding the SHIFT key and clicking the circular reload arrow of your browser. It can take a few minutes for the changes to apply.
STEP THREE: Disable the block on service account key creation: iam.disableServiceAccountKeyCreation
Open the Organization Policies:
- In the left-hand navigation menu, select IAM & Admin > Organization Policies.
- The Organization Policies page lists the policies for your organization.
Find the iam.disableServiceAccountKeyCreation policy:
- In the search bar, type disableServiceAccountKeyCreation, or look for “Service Account Key Creation” in the list of policies.
- Click on the policy when you find it.
Edit the policy:
- Click the Edit button at the top of the policy page.
Disable the policy:
- Change the setting to Disabled or Allow (the wording differs between versions of the interface, which is confusing, so infer as much as you can from the surrounding text).
- This is the step that allows service account keys to be created again.
Save changes:
- After disabling the policy, click Save to apply the changes.
- HARD refresh the browser window by holding the SHIFT key and clicking the circular reload arrow of your browser. It can take a few minutes for the changes to apply.
Verifying the policy change:
You can verify the change by entering the following into the same terminal window as before. The describe command needs a scope flag, so replace [ORGANIZATION_ID] with the same organization ID as before:
gcloud org-policies describe constraints/iam.disableServiceAccountKeyCreation --effective --organization=[ORGANIZATION_ID]
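As an added example (not part of the original guide), the two verification outputs from step two and step three can be checked with a small POSIX shell script instead of by eye. The YAML samples embedded below are constructed to match the shape of gcloud's output; the organization number, etag and the has_role / key_creation_blocked function names are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the guide): check the two verification outputs offline.
# The YAML samples are CONSTRUCTED to match the shape of gcloud's output; the
# organization number and etag are placeholders, not real values.

# Constructed sample of `gcloud organizations get-iam-policy [ORGANIZATION_ID]`
# after step two: each binding lists its members, then its role.
IAM_POLICY_SAMPLE='bindings:
- members:
  - user:email@example.com
  role: roles/orgpolicy.policyAdmin
- members:
  - user:email@example.com
  role: roles/resourcemanager.organizationAdmin
etag: PLACEHOLDER_ETAG
version: 1'

# Constructed samples of `gcloud org-policies describe
# constraints/iam.disableServiceAccountKeyCreation --effective --organization=...`
# while the block is still enforced, and after it has been disabled.
ORG_POLICY_ENFORCED='name: organizations/000000000000/policies/iam.disableServiceAccountKeyCreation
spec:
  rules:
  - enforce: true'
ORG_POLICY_LIFTED='name: organizations/000000000000/policies/iam.disableServiceAccountKeyCreation
spec:
  rules:
  - enforce: false'

# has_role POLICY_YAML MEMBER ROLE: succeeds when MEMBER is bound to ROLE.
# Members precede the role inside each binding, so awk remembers whether the
# member was seen and decides when the binding's role line arrives.
has_role() {
  printf '%s\n' "$1" | awk -v member="$2" -v role="$3" '
    /^- members:/ { seen = 0; next }
    /^  - /       { if ($2 == member) seen = 1; next }
    /^  role:/    { if (seen && $2 == role) hit = 1; seen = 0 }
    END           { exit hit ? 0 : 1 }'
}

# key_creation_blocked POLICY_YAML: succeeds when the effective policy still
# enforces the constraint, i.e. key creation is still blocked.
key_creation_blocked() {
  printf '%s\n' "$1" | grep -q '^ *- enforce: true$'
}

# Stand-alone run: report both checks the way a practitioner would read them.
has_role "$IAM_POLICY_SAMPLE" user:email@example.com roles/orgpolicy.policyAdmin \
  && echo "policyAdmin binding present" || echo "policyAdmin binding MISSING"
key_creation_blocked "$ORG_POLICY_LIFTED" \
  && echo "key creation still blocked" || echo "key creation allowed"
```

Because organization policies are inherited down the resource hierarchy, the same describe command with --project instead of --organization shows whether a project-level override is in effect, which lets you lift the block for one project while leaving the organization default enforced.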
You can now continue with the Service Account Key Creation steps here.